By Abhishek Paul IRMCert, IRM Ambassador for India, Associate Vice President: Natwest Markets Controls Assurance Lead, RBS Business, India


An effective risk culture is one that enables and rewards individuals and groups for taking the right risks in an informed manner.

So let’s take a more real life situation to understand the importance of an effective risk culture and taking the right risks.

At your home you would usually have a window adjacent to your door or a door eye to check who’s there when you hear the doorbell ring.

Let’s assume that you don’t have either of those. You would probably ask who’s there before opening the door to a stranger, because without analysing who it could be you run the risk of burglary or, in the worst case, a life-threatening situation.

What if (God forbid) you do indeed encounter such an incident despite having some basic access controls to your home in place? Would you not become more aware of the threats and maybe install a security alarm or CCTV cameras, or even go to the extent of hiring a guard? You probably would, right? But how do you decide how much cost you should incur to mitigate the risk at hand? You would probably start by identifying the key risks you face in this situation:

1. Loss of assets/personal property

2. Loss of lives

Maybe the next step would be to measure the risk of loss. This could be financially quantified in the case of point 1, but may be much more than just a financial loss if incident 2 happens. This is what we in risk management would call value at risk.

Once you have identified your key risks and the value at risk, you may want to control some aspects of the loss, through one of the following:

1. Transfer of risk of loss i.e. insurance;

2. Terminate the risk to some extent by moving your valuable jewellery / belongings to a bank locker instead of keeping them at home; or

3. Treat the risk and mitigate it to some extent by having a security system or a security guard.

You may also choose to tolerate your risk, as the cost of implementing a control may be outside your budget while the risk of loss may be within your appetite. Let’s say in this case the CCTV investment is too large for you to make, and you realise that it may only be a deterrent and not actually a way to mitigate the risk of someone trespassing on your premises, so you decide to install only a burglar alarm and not a CCTV recording system. This is exactly what risk management calls risk appetite.

Unless you have defined your risk appetite, you will not be in a position to choose an appropriate mode of mitigation for the risks you choose not to accept or tolerate but rather to treat, transfer or terminate.

You may also, from time to time, choose to re-evaluate or reassess the situation and circumstances, continuously analysing the potential risk of loss, which may not remain constant. Based on this analysis you would probably end up reassessing the material risks you face and would need to repeat this process on a periodic basis. This, in short, is your life-cycle for managing the risk we just discussed.

The organisational risk life-cycle is not very different from this process; it just needs a bit more focus, education, training and embedding of this culture of evaluating risk at each level of your business.

I firmly believe that it is never too late to consider embedding a risk culture, unless you decide to accept or tolerate all the risks facing your organisation or your business. But you do need to start educating staff and embedding risk culture within your 1st Line of Defence (1st LoD), through risk management qualifications, instead of depending completely on your 2nd Line of Defence (2nd LoD). Your 1st line is the closest to your business and will have much more insight into the day-to-day risk exposure, acting almost like a security alarm (1st LoD) rather than a CCTV (2nd LoD), and hopefully making your risk exposure management robust enough to mitigate the chances of issues being investigated by the 3rd LoD, which happens to be the Audit Team.

In case you missed it, read part 1 here.


Read IRM’s Risk Culture Guide for Practitioners here.

Start today and get your business risk qualified with the Institute of Risk Management as it will not only help in effectively embedding risk culture but also raise the potential of taking the right risks!

IRM has a range of short and in-house courses covering everything from the Fundamentals of Risk Management, Practical Risk Appetite & Tolerance, Risk Culture and Embedding Risk Management, to name but a few. More here | IRM Training